Network out following ComboFix Run -- Ideas Needed for Recovering

Discussion in 'Malware Help (A Specialist Will Reply)' started by Positronicus, Dec 26, 2007.

  1. Positronicus

    Positronicus Private E-2

    I ran ComboFix (trying to remove a hijacker). It ran for half an hour or so, then the power went out. ComboFix reported completing stage 26 or something like that. All disk activity seemed to have stopped by then.

    When power came back, computer booted fine but Windows complained that it could not verify the license, nor could it communicate to the internet. I booted into safe mode and ran system restore to the checkpoint created by combofix. Then I verified the license over the phone, and was able to log on. All the user files seem fine.

    But I still can't connect to the net. When I run "ipconfig" it fails with "unable to query host name". Ping 127.0.0.1 fails with "unable to contact IP driver, error code 2."

    In C:\Windows\system32\drivers I noticed that ComboFix has apparently changed tcpip.sys and has also created a new driver, ComboFix.sys. However, replacing the tcpip.sys file with an older version did not correct the problem.

    Windows file protection complains that "files that are required for Windows to run properly have been replaced by unrecognized versions", and asks that I insert an XP disk (which unfortunately I don't have.)

    What's going on? Any suggestions?
     
  2. Positronicus

    Positronicus Private E-2

    Resolved (was Network out following ComboFix Run...)

    Following the idea that TCP/IP was damaged, I did the following (not sure which step is critical),

    1. Replaced modified tcpip.sys with last known good version.

    2. Opened network control panel, ran "fix connection"

    3. Started DHCP server by hand. For some reason it was off.

    That worked!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    ComboFix may have removed your tcpip.sys file due to the fact that it was infected. There are quite a few cases of this file being infected recently. It is all part of malware's normal methodology of trying to make removing malware more difficult.

    Are you still having problems that you need help with? I would not run ComboFix again at this point just in case you still have infections. It could result in the same complications. If you are still having malware issues, skip the ComboFix part of the READ AND RUN ME and do the other steps. But if you do have a ComboFix log on your PC from the previous run, it would be interesting to see it.
     
  4. Positronicus

    Positronicus Private E-2

    Thank you!

    I'm completely spooked about the stability of the system. It appears to be ok, but OMG, what the heck did ComboFix do? I had to re-authorize Windows, for gosh sakes, restart a service by hand, and fix a corrupted TCP/IP stack that's been fine for 5 years. What the heck else is wrong? I can't even figure out how to reset the clock format back to AM/PM. Is ComboFix known to be a safe program? I'm scared to run it again.

    The C:\ComboFix.txt file is attached. Thank you for your kind attention.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was not ComboFix. It was the loss of power while running ComboFix and anything else that may have been running. Based on your log it was actually detecting and removing a load of malware, and based on the date of your tcpip.sys file showing in the ComboFix log, the file was more than likely infected but ComboFix did not delete it. Your Windows OS may have been responsible for that after the loss of power. In reality it was your infections coupled with the loss of power while running the scans that caused you these problems. You really should complete the rest of the READ AND RUN ME. Chances are very high that you are still infected.

    Very simple!

    You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.


    Yes! Tens of thousands of people run it daily to help remove malware. As I stated, your issue was what infections you had coupled with the power loss.

    You don't need to. But you really should complete the rest of the READ AND RUN ME. Chances are very high that you are still infected. Also if Symantec is your antivirus, it has been corrupted by your malware attacker. It is not even loading properly anymore.
     
  6. Positronicus

    Positronicus Private E-2

    Please forgive my lame newbieness, but ... the what? Where is the "READ AND RUN ME". Is that part of ComboFix?

    New problem: The system was working fine yesterday, but when I started today, the networking was gone again. Running windows network diagnostics I get ...

    WinSock status
    info error attempting to validate the winsock base providers: 2
    error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
    info Redirecting user to support call

    I looked for these messages at support.microsoft.com, and the one relevant article suggested running "netsh winsock reset" then restart. Unfortunately that did not fix the problem.
     
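    For the Winsock error quoted above, here is an added example (not from the thread or any tool it mentions) in Python that parses a `netsh winsock show catalog` dump and reports which base providers are missing and which entries are backed by a DLL Windows XP does not ship. The catalog text is a constructed sample, and REQUIRED_BASE and KNOWN_DLLS are my assumptions about the default XP catalog.

```python
import ntpath
import re

# Base providers the XP stack needs; if any is missing, network diagnostics report
# "Not all base service provider entries could be found in the winsock catalog".
REQUIRED_BASE = {"MSAFD Tcpip [TCP/IP]", "MSAFD Tcpip [UDP/IP]", "MSAFD Tcpip [RAW/IP]"}
# DLLs that back the default Windows XP catalog entries (assumed set).
KNOWN_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll"}

# Constructed sample of `netsh winsock show catalog` output (not a real dump):
# the UDP and RAW base entries are gone and an unknown LSP is layered over TCP.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {CONSTRUCTED-GUID-1}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        unknownlsp over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {CONSTRUCTED-GUID-2}
Provider Path:                      C:\\WINDOWS\\system32\\unknownlsp.dll
Catalog Entry ID:                   1020
"""

FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*)$", re.M)

def parse_catalog(text):
    """Split netsh output into one {field: value} dict per provider entry."""
    return [{k.strip(): v.strip() for k, v in FIELD.findall(block)}
            for block in text.split("Winsock Catalog Provider Entry")[1:]]

def missing_base_providers(entries):
    """Required base providers absent from the catalog, sorted by name."""
    present = {e.get("Description") for e in entries
               if e.get("Entry Type") == "Base Service Provider"}
    return sorted(REQUIRED_BASE - present)

def unknown_provider_dlls(entries):
    """Entries backed by a DLL Windows does not ship: candidate hijacked LSPs."""
    flagged = []
    for e in entries:
        dll = ntpath.basename(e.get("Provider Path", "")).lower()
        if dll not in KNOWN_DLLS:
            flagged.append((e.get("Catalog Entry ID"), e.get("Description"), dll))
    return flagged
```

    On the affected machine, `netsh winsock show catalog > catalog.txt` produces the real input for parse_catalog. Missing base providers are what `netsh winsock reset` is meant to rebuild, while a flagged third-party DLL points at a layered provider worth examining before trusting the stack again.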
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm??? Why were you attaching a ComboFix log if you were not running the READ AND RUN ME? The READ AND RUN ME is a sticky thread that appears on every single page in the Malware Forum. It is rather hard not to notice the stickies that you should be reading before posting. Take a look in the forum and you will see a bunch of sticky (also called pinned) threads. One is this: READ & RUN ME FIRST. Malware Removal Guide. You need to follow those instructions. ComboFix is not a comprehensive malware scanner or cleaning tool. The READ & RUN ME is.


    What did you do yesterday?

    You can try running the below:

    XP TCP/IP Repair
     
